The number of cyber-attacks has soared in recent years, with 72% of large organisations and 36% of small businesses in the UK experiencing cyber-attacks so far in 2023. With such high costs at stake, cyber insurers have increased premiums and decreased coverage. While it is vital to have cyber insurance to protect against the financial fallout of a cyber event, it’s crucial to understand what’s covered and, more importantly, what’s not. In this article, we’ll delve into the often-overlooked aspects of these policies and shed light on the potential blind spots that could leave your business exposed to catastrophic risks.
Understanding cyber insurance exclusions
The potential consequences of a cyber-attack on a business can be devastating. Not only can a company suffer financial losses and reputational damage, but it may also face legal liabilities and regulatory penalties. This is why a growing number of organisations are turning to cyber insurance as a way to protect themselves from these risks. However, it’s important to remember that not all cyber insurance policies are created equal, and understanding the exclusions in your policy is crucial to ensure you’re adequately covered.
Exclusions are provisions in an insurance policy that specify what is not covered by the policy. In the case of cyber insurance, these exclusions can be particularly important, as they can leave your business vulnerable to certain types of cyber attacks or incidents that you may have assumed were covered. By familiarising yourself with the common exclusions and carefully reviewing your policy, you can identify potential gaps in your coverage and take steps to address them.
Moreover, understanding your policy’s exclusions can help you make informed decisions about your cyber risk management strategy. By knowing what risks are not covered by your insurance, you can prioritise your efforts to mitigate those risks and allocate resources accordingly. In this way, understanding cyber insurance exclusions is not only essential for protecting your business, but it’s also a key part of a comprehensive cyber risk management plan.
Common cyber insurance exclusions explained
While the specific exclusions in a cyber insurance policy can vary depending on the insurer and the individual policy, there are several common exclusions that you should be aware of. These include:
- Acts of war and terrorism: Many cyber insurance policies exclude coverage for damages resulting from acts of war, terrorism, or state-sponsored cyber attacks. This can be a significant exclusion, especially for organisations that operate in high-risk industries or regions.
- Bodily injury and property damage: Cyber insurance policies typically focus on covering financial losses and liabilities resulting from a cyber event, but they usually exclude coverage for bodily injury and property damage. If a cyber attack results in physical harm or property damage, your general liability or property insurance may be more appropriate.
- Contractual liabilities: Some cyber insurance policies exclude coverage for liabilities arising from contractual agreements, such as indemnification clauses or service-level agreements. This means that if your company is contractually obligated to compensate a third party for losses resulting from a cyber incident, your cyber insurance policy may not cover those costs.
- Criminal or intentional acts by insureds: Cyber insurance policies typically exclude coverage for losses resulting from criminal or intentional acts committed by the policyholder or its employees. This is a standard exclusion in most insurance policies, as insurers do not want to incentivise illegal or unethical behaviour.
- Lack of security measures: Most cyber insurance providers will have specific criteria concerning cybersecurity measures and policies to protect data. Failure to comply with these can mean exclusion from insurance coverage.
- Critical national infrastructure: Losses resulting from the failure or outage of critical national infrastructure, such as electricity, gas, water, satellite, or telecommunications, are not covered. As with war and terrorism, the risk is too significant for individual insurers to bear.
- Fines or penalties: Cyber insurance does not provide coverage for any legal fines, penalties or sanctions that your business may be required to pay, whether they are criminal, civil or regulatory.
- Jurisdiction: It’s important to verify the geographical coverage of a cyber policy. Typically, policies bought in the UK offer protection in the European Union and many other parts of the globe, but they may not cover North America.
Tick the cyber insurance boxes with the security experts at Intelliworx
Every organisation has its own unique set of risks and vulnerabilities when it comes to cyber threats. As such, it’s important to be aware of what cyber liability insurance exclusions are in your policy to ensure that you have adequate protection in place. Don’t want to go it alone? The cybersecurity professionals at Intelliworx can help your business maintain the standards that cyber insurers require and ensure you are covered for all eventualities.